-1

I'm working on a web-based Flash application for a client which loads an external file from the same directory it is located in on the server. I use a URLRequest to load the file:

loader.load(new URLRequest("Config.xml")); // loader is a flash.net.URLLoader; the file is fetched over plain HTTP

Right now the Config.xml file uses chmod 644, which gives it public read access. However, the client would like to protect the configuration file so that it can't be downloaded by third-parties.

I'm thinking that it won't be possible to hide the file by removing public read permission (chmod 640) because then the Flash document, which is executed client-side, will be unable to read it. My tests seem to confirm this. Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?

user45623

4 Answers

1

No. Flash is using a regular HTTP request to load the config file, so of course it can't get the file if it's not publicly-accessible.

What you could do is require authentication for the config file and include credentials in your URLRequest declaration. However, this still suffers from the weakness of someone sniffing the traffic to discover the authentication, and then running that request again with another tool.

Ultimately, you can't have it both ways: Either your config is accessible and insecure, or it's secure but unusable.

Brian
1

As others have already said, you can't do this. For the SWF to be able to load the file from the client-side it must be public.

A possible solution that might be good enough for your client is to embed the XML file contents in your HTML on the server side, for example as FlashVars or JavaScript output, then the SWF does not need to load the XML file directly and you don't need to make the file public.

For example:

Server-side PHP:

<?php
// Read the config from the server-side filesystem; the file itself never
// has to be web-readable (it can stay chmod 640 or live outside the document root).
$xml = file_get_contents("Config.xml");
// URL-encode it so it survives as a single FlashVars value inside an HTML attribute
$encodedXml = rawurlencode($xml);
?>

<object type="application/x-shockwave-flash" data="my-flash.swf" width="550" height="400">
  <param name="movie" value="my-flash.swf" />
  <param name="FlashVars" value="config=<?php echo $encodedXml; ?>" />
</object>

Client-side AS3:

// FlashVars values arrive already URL-decoded in loaderInfo.parameters
var xml:XML = XML(stage.loaderInfo.parameters.config);

Of course someone could look at your HTML source and decode the XML themselves, but any way you get the XML content into your SWF will expose that possibility, to varying levels of difficulty. You could make the encoding more obfuscated (URL encoding is easy to spot) or encrypted to make it harder to find.

Aaron Beall
  • Thank you, I appreciate that you have provided workarounds in addition to answering the core question. – user45623 Mar 22 '16 at 23:37
  • @user45623 I don't see any workaround here, Aaron has just changed the XML content with an HTML one, so the data is always publicly accessible, this is absolutely not a solution at all to your problem ... – akmozo Mar 22 '16 at 23:45
  • @akmozo Well, it literally makes the XML file not public but the contents still loaded by the swf client, which is what was asked. Like I said the XML content is there in the HTML, but encoded and it could be encrypted, etc. There's no way to make the content client-side and inaccessible as we all stated, this is just a workaround to make the XML file inaccessible as is. – Aaron Beall Mar 23 '16 at 00:24
  • @Aaron I think that the problem is how to protect the XML content (the configuration settings used by the SWF) and not the file itself. – akmozo Mar 23 '16 at 00:30
  • This is the question: "Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?" and the accepted answer shows a solution that does expose the XML completely to the public and is in no way better than just loading the (public) file directly. I'm always amused when an OP accepts an answer that is the opposite of what he asks. There are of course many solutions available, none of which have been proposed here, but OP is satisfied so no need to post another answer ... – BotMaster Mar 23 '16 at 15:09
  • @BotMaster Propose a better answer. ;) – Aaron Beall Mar 23 '16 at 15:24
  • OP is satisfied so no need for another answer, I will only say, client side cannot access private files on a server as it was already said, but server side can and if you ask politely your server side (in other words write the code for it) your server side will grant you a copy of your private file. – BotMaster Mar 23 '16 at 20:27
  • @BotMaster I was accepting the answer on the grounds that it answers my yes-or-no question with a no. I'm not planning to use Aaron's workaround, but appreciate the effort. If there are better solutions that haven't been proposed, then by all means, propose them. I take it you downvoted the question because you weren't happy with the answer I picked? – user45623 Mar 25 '16 at 02:37
  • @BotMaster "Ask the server politely" doesn't sound like much of a solution to me. Flash runs client-side, so how would I take any advantage of a server-side solution? – user45623 Mar 25 '16 at 02:40
  • I did not downvote anything. You say "how would I take any advantage of a server-side solution?" which means you misunderstand server side operations. I should then post an answer. – BotMaster Mar 25 '16 at 11:31
0

The short answer:

No, you cannot do that.

The long answer:

No, you cannot do that because, as you already know, Flash Player is a client-side technology, so it's exactly the same as a browser, and any file loaded by your SWF is accessible and visible to absolutely any person who has access to that SWF file; also, forget about file access permissions, which don't have any effect in this situation.

Note here that you can use some encryption system to encrypt the content of that file and your SWF will decrypt it, but the problem here is that you also have to encrypt your SWF file which, to my knowledge, is not a very reliable technique because SWF decompilers are really very efficient nowadays ...

...

Hope that can help.

akmozo
  • "also forget about files access permissions which didn't has any effect in this situation" Well, if you remove public read permission from the file, the SWF can't access it, so it does have an effect. – user45623 Mar 22 '16 at 23:35
  • @user45623 Files access permissions has nothing to do about all that because we can not load anything with Flash Player which isn't publicly accessible, so that does not have any effect because if the file isn't publicly accessible so it's not usable at all in this situation. – akmozo Mar 22 '16 at 23:47
-1

A client side app (Flash or other) cannot read or load by itself any files from a server, even from the server it's coming from. When it loads a public XML file, it makes a request for it and if the file has the right permission and the server knows how to serve that file, the request is granted and the file is served. This is very much so a server side operation, so you can now see that when you say: "Flash runs client-side, so how would I take any advantage of a server-side solution?" this is a clear misunderstanding of how things work on client side and server side because if you do load an XML file then you do take advantage of a server side solution. Now this being said, how to do it when the file permission is turned off.

It is common to not allow access to files or directories on a server; in that case a client side cannot be granted access to those directly. So this is when you need to use a server side technology to serve those files. Server side technology like for example PHP can access all files on the server and make copies of them or change their permission temporarily etc ...

You can serve to your client side those forbidden files by simply writing a server side script that would serve the file to you depending on some criteria you define (or none). The server side can change the permission allowing you to download it and then change it back, or it can copy the file and put it in a publicly accessible place and then delete it. You can also change the extension of your XML (to .whatever for example) and not provide a mimetype for it; even though the file is public the server won't be able to serve it, and you can then make your server side script change its extension for you on a per-need basis. There are just hundreds of ways to do it, including web services and even AMF, and all that while the needed file is not publicly accessible. But yes, you have to write server side scripts, which is a VERY COMMON way to serve files to client side.

BotMaster
  • "this is a clear misunderstanding of how things work on client side and server side because if you do load a xml file then you do take advantage of a server side solution" I understand how the client requests files/data from the server, the wording in your comment made me think you were suggesting this could be handled *entirely* on the server-side with no client-side interaction. Obviously there isn't enough room to explain your idea in a comment. – user45623 Mar 25 '16 at 17:07
  • I understand how to use PHP scripts to retrieve files or data. Your suggestions all still require making the file publicly accessible in one form or another, even if it's temporary. Someone who puts the time into it is still going to be able to figure out how to download the file/data, they just have to know how to mimic the request from the app. Flash is unfortunately easy to decompile and reverse-engineer, so the risk of someone finding out the request method is real. Frankly I think changing the extension of the file or temporarily unhiding and then rehiding it is silly. – user45623 Mar 25 '16 at 17:13
  • You run on wishful thinking and preconception. Every single online secure system runs on those principles that I exposed; the process of accessing private data from a db or a private file uses the same principle, authentication. You call that silly and insecure, fine, now tell the whole world how to do it correctly. As for Flash being "easy to decompile and reverse-engineer" as opposed to what? The only other relevant web technology is javascript which you don't have to decompile to read so what was the point of that comment? – BotMaster Mar 25 '16 at 17:25
  • Modern security methods rely on authentication and data transfer over a securely encrypted connection using SSL or TLS, not temporarily changing the chmod flags or mimetype of the file. I rather get the impression that _you_ are the one operating on wishful thinking and preconception. – user45623 Mar 27 '16 at 23:52
  • I wrote that definition myself. I think this will conclude our discussion. – user45623 Mar 28 '16 at 21:41
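A gateway script of the kind Brian's answer (require authentication for the config) and BotMaster's answer (a server-side script that serves the non-public file on some criteria) describe, written here as an added example and not code from either answer. The file path, the session key and the existence of a login page that sets it are assumptions; the script gates the file per logged-in session, which is the "authentication" principle the thread arrives at, and does not hide the content from a logged-in user, who can replay the request with any HTTP client, as Brian's answer notes.

```php
<?php
// config.php: the SWF loads "config.php" in place of "Config.xml".
// Config.xml lives OUTSIDE the web root, so no direct URL reaches it;
// this script is the only path to its contents.

session_start();

// Assumption: the site's login handler sets $_SESSION['user_id'] after
// verifying credentials. A request without that session gets nothing.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo 'forbidden';
    exit;
}

// Fixed path, never derived from the request, so the script cannot be
// steered to other files. Assumed location; the file can stay chmod 640
// as long as the PHP process user can read it.
$configPath = '/var/app/private/Config.xml';

$xml = file_get_contents($configPath);
if ($xml === false) {
    // Do not leak the path or the reason to the client.
    http_response_code(500);
    exit;
}

// Mark the body as private so browsers and proxies do not keep a copy
// that a later, unauthenticated request could be served from.
header('Content-Type: application/xml; charset=utf-8');
header('Cache-Control: no-store, private');
header('Content-Length: ' . strlen($xml));
echo $xml;
```

When the SWF is served from the same origin, its URLRequest for config.php carries the browser's session cookie automatically, so the ActionScript side only changes the file name it loads. Serve the page over HTTPS so the cookie is not exposed in transit, which is the sniffing weakness Brian's answer points out.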